In September 2021, Quebec’s Parliament updated its data privacy regime by passing the Act to Modernize Legislative Provisions as Regards the Protection of Personal Information, 2021 (“Law 25”). It is critical to determine whether an organization is subject to Law 25, as there are potential fines of up to 4% of an organization’s worldwide turnover.[1]

Overall, there is no explicit nonprofit exemption within Law 25. However, Law 25’s applicability to nonprofits depends on the specific processing and commercial activities of the entity.

Click here for an introduction to Law 25.

Are You an Enterprise?   

The key question for Law 25 applicability is whether the entity is considered an “enterprise” under Quebec law.[2] Yet, Law 25 does not itself define the term “enterprise.” Instead, Quebec’s civil code provides the basic definition. Under Quebec law, an enterprise is an “organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.”[3]

Quebec’s data protection authority, Commission d’accès à l’information du Québec (CAI) has further refined the term “enterprise” in relation to data privacy in Quebec. The CAI outlined four elements that should be considered when determining whether an entity is an “enterprise”:[4]

  1. the operations of the enterprise constitute jurisdictional acts, which are repetitive;
  2. there exists a coordination between human and material resources; 
  3. the organization aims to respond to and satisfy certain needs; and
  4. the success depends on similar standards related to market forces and the efforts the businessperson deploys.

When making a determination, the organization’s main activity – not its ancillary activity – is the primary focus of the inquiry.[5]

Besides the four elements, case law has provided some examples of entities that are considered “enterprises” under Quebec law. For example, unions and private clinics, such as a psychiatrist, are both considered enterprises and thus would be subject to Law 25.[6]  However, spiritual organizations, like the Jehovah’s Witnesses, and religions are not considered enterprises because their main purposes are spiritual, not economic.

Consequences

When determining compliance with any law, one of the first and most important steps is to examine applicability of the law. Determining Law 25’s applicability to nonprofits requires a detailed and fact-specific analysis. Where applicability is not clear, it is critical to consider the four factors listed above and to compare the entity’s operations to case law.

[1] *Greenberg Traurig is not licensed to practice law in Canada and does not advise on Canada law. Specific Canada law questions and Canada legal compliance issues will be referred to lawyers licensed to practice law in Canada.

[2] Law 25, section 1.

[3] Quebec Civil Code, 1525.

[4] Learning From a Decade of Experience: Quebec’s Private Sector Privacy Act, 1.2.1   

[5] Id. at 1.2.2.

[6] Id. at 1.2.3 and 1.2.4.